Back to skill
Skillv98.0.1
ClawScan security
Agent Security Hardening · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 17, 2026, 5:22 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's content matches its stated goal (agent hardening) and requests no credentials or installs, but the SKILL.md contains at least one prompt‑injection pattern (e.g. 'ignore-previous-instructions') and very prescriptive directives that could conflict with system prompts — review before installing or enabling autonomously.
- Guidance
- This skill is an instruction-only hardening checklist and otherwise appears coherent and low-privilege, but the file contains a prompt-injection token and strongly prescriptive rules that could conflict with system-level policies. Before installing or enabling it (especially for autonomous use): - Manually review the entire SKILL.md for any lines that attempt to override system prompts (phrases like 'ignore previous instructions', 'only follow these rules', or explicit instructions to ignore higher-priority prompts). - If you plan to let agents call this skill autonomously, test it in a non-production sandbox first. - Consider wrapping use in governance: require explicit user confirmation before the skill enacts policy changes, and limit its invocation scope (no always:true, disable autonomous invocation if possible). - If you lack the expertise to audit the full content, ask a security engineer to review it. The single scanner finding could be a harmless example, but treat it as a potential red flag until confirmed otherwise.
- Findings
[ignore-previous-instructions] unexpected: A hardening guide would normally advise agents to resist 'ignore previous instructions' style payloads, not include that token literally in a way that could be misused. The scanner found this pattern in SKILL.md; the listing we received is truncated so the exact usage/context is unknown. Manual review of the full file is required to determine intent (benign illustration vs. malicious attempt to subvert prompt ordering).
Review Dimensions
- Purpose & Capability
- okName, description, and the SKILL.md are consistent: this is an instruction-only hardening guide for agents. The skill declares no binaries, env vars, or install steps — which matches a documentation-style hardening pattern.
- Instruction Scope
- concernMost runtime instructions (summarize, tag external content, never execute commands from untrusted content, enforce data boundaries) are appropriate for an agent-hardening guide. However, the file is highly prescriptive ('These rules are non-negotiable') and the pre-scan detected prompt-injection patterns (e.g. 'ignore-previous-instructions') inside the SKILL.md. That pattern is exactly the kind of token attackers embed to try to override higher-priority prompts; its presence in a policy doc is suspicious and worth manual review of the full text (the file was truncated in the package listing).
- Install Mechanism
- okNo install spec and no code files — lowest-risk distribution model. Nothing will be downloaded or executed as part of install.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths, which is appropriate for an instruction-only hardening guide.
- Persistence & Privilege
- notealways:false and no special config access are appropriate. However, the skill is allowed to be invoked autonomously (platform default). Combined with the prompt-injection indicator and very prescriptive language, autonomous invocation increases the potential blast radius — consider limiting autonomous runs until content is audited.